ESET researchers have identified a new backdoor, named MQsTTang, that is attributed to the China-aligned Mustang Panda APT group. The backdoor has been part of an ongoing campaign that ESET can trace back to early January 2023. ESET has seen targets in Bulgaria and Australia and has information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Due to the decoy filenames used, ESET researchers believe that political and governmental organizations in Europe and Asia are also being targeted.
MQsTTang is different from most of the group's malware, as it does not seem to be based on existing families or publicly available projects. This new backdoor provides a remote shell without any of the bells and whistles associated with the group's other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools. The backdoor allows the attacker to execute arbitrary commands on a victim's machine and capture the output. The malware uses the MQTT protocol for command-and-control (C&C) communication, a choice rarely seen in publicly documented malware families.
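Because MQTT is an unusual C&C channel, its appearance on hosts that have no business speaking it is itself a detection opportunity. The following is an added example (not code from the ESET report or from the malware): it parses the MQTT CONNECT handshake from the first bytes of a TCP flow and alerts when a host outside an allow list, such as a user workstation, initiates one. Host names, ports and packet bytes are constructed for this example.

```python
def decode_remaining_length(buf: bytes, pos: int):
    """Decode MQTT's 1-4 byte variable-length integer; (None, pos) if truncated."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            break
        byte, pos = buf[pos], pos + 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    return None, pos

def parse_mqtt_connect(payload: bytes):
    """Return fields of an MQTT CONNECT packet at the start of payload, else None.
    The protocol-name check matters: a TLS ClientHello also starts with 0x16,
    whose high nibble equals MQTT packet type 1 (CONNECT)."""
    if len(payload) < 2 or payload[0] >> 4 != 1:
        return None
    remaining, pos = decode_remaining_length(payload, 1)
    if remaining is None or pos + remaining > len(payload):
        return None
    body = payload[pos:pos + remaining]
    name_len = int.from_bytes(body[:2], "big")
    name = body[2:2 + name_len]
    i = 2 + name_len
    if name not in (b"MQTT", b"MQIsdp") or len(body) < i + 6:
        return None
    level, flags = body[i], body[i + 1]
    keepalive = int.from_bytes(body[i + 2:i + 4], "big")
    cid_len = int.from_bytes(body[i + 4:i + 6], "big")
    client_id = body[i + 6:i + 6 + cid_len].decode("utf-8", "replace")
    return {"protocol": name.decode(), "level": level, "keepalive": keepalive,
            "client_id": client_id, "has_username": bool(flags & 0x80)}

# Constructed sample flows (not from the ESET report): (source host, dst port, first TCP payload bytes)
SAMPLE_FLOWS = [
    ("ws-finance-07", 1883, b"\x10\x15\x00\x04MQTT\x04\x02\x00\x3c\x00\x09pc-a1b2c3"),   # workstation CONNECT
    ("iot-gateway-01", 1883, b"\x10\x16\x00\x04MQTT\x04\x02\x00\x3c\x00\x0asensor-hub"),  # expected MQTT client
    ("ws-hr-03", 443, b"\x16\x03\x01\x00\xf8\x01\x00\x00\xf4\x03\x03"),                   # TLS ClientHello, not MQTT
]

def flag_unexpected_mqtt(flows, allowed_hosts):
    """Alert on MQTT CONNECTs from hosts not expected to speak MQTT (e.g. user workstations)."""
    alerts = []
    for src, dport, payload in flows:
        info = parse_mqtt_connect(payload)
        if info and src not in allowed_hosts:
            alerts.append({"src": src, "dport": dport, "client_id": info["client_id"], "protocol": info["protocol"]})
    return alerts
```

Run as `flag_unexpected_mqtt(SAMPLE_FLOWS, {"iot-gateway-01"})`; only the workstation flow is reported, and the TLS flow is correctly rejected despite sharing the 0x1 high nibble.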
MQsTTang is distributed in RAR archives that only contain a single executable, with filenames related to diplomacy and passports. The Mustang Panda campaign is still ongoing, and the group has increased its activity in Europe since Russia's invasion of Ukraine. It remains to be seen whether this backdoor will become a recurring part of their arsenal, but it is one more example of the group's fast development and deployment cycle.